The Hacker News — Cyber Security, Hacking, Technology News

As speculated by the researcher who disclosed Meltdown and Spectre flaws in Intel processors, some of the Intel processors will not receive patches for the Spectre (variant 2) side-channel analysis attack

In a recent microcode revision guidance (PDF), Intel admits that it would not be possible to address the Spectre design flaw in its specific old CPUs, because it requires changes to the processor architecture to mitigate the issue fully.

The chip-maker has marked "Stopped" to the production status for a total 9 product families—Bloomfield, Clarksfield, Gulftown, Harpertown Xeon, Jasper Forest, Penryn, SoFIA 3GR, Wolfdale, and Yorkfield.

These vulnerable chip families—which are mostly old that went on sale between 2007 and 2011—will no longer receive microcode updates, leaving more than 230 Intel processor models vulnerable to hackers that powers millions of computers and mobile devices.

According to the revised guidance, "after a comprehensive investigation of the microarchitectures and microcode capabilities for these products, Intel has determined to not release microcode updates for these products for one or more reasons."

Intel mentions three reasons in its documentation for not addressing the flaw in some of the impacted products:

Micro-architectural characteristics that preclude a practical implementation of features mitigating Variant 2 (CVE-2017-5715)

Limited Commercially Available System Software support

Based on customer inputs, most of these products are implemented as "closed systems" and therefore are expected to have a lower likelihood of exposure to these vulnerabilities.

Spectre variant 2 vulnerability (CVE-2017-5715) affects systems wherein microprocessors utilize speculative execution and indirect branch prediction, allowing a malicious program to read sensitive information, such as passwords, encryption keys, or sensitive information, including that of the kernel, using a side-channel analysis attack.

However, these processors can install pre-mitigation production microcode updates to mitigate Variant 1 (Spectre) and Variant 3 (Meltdown) flaws.

"We've now completed release of microcode updates for Intel microprocessor products launched in the last 9+ years that required protection against the side-channel vulnerabilities discovered by Google. However, as indicated in our latest microcode revision guidance, we will not be providing updated microcode for a select number of older platforms for several reasons, including limited ecosystem support and customer feedback." says an Intel spokesperson via email.

Besides Intel, AMD Ryzen and EPYC processors were also found vulnerable to 13 critical vulnerabilities that could allow an unauthorized attacker to access sensitive data, install persistent malware inside the chip, and gain full access to the compromised systems.

AMD has acknowledged reported vulnerabilities and promised to roll out firmware patches for millions of affected devices in the coming weeks.

However, CTS Labs, the security firm that discovered and disclosed the vulnerabilities, claimed that AMD could take several months to release patches for most of the security issues, where some of them cannot be fixed.

After leaving million of devices at risk of hacking and then rolling out broken patches, Intel has now released a new batch of security patches only for its Skylake processors to address one of the Spectre vulnerabilities (Variant 2).

For those unaware, Spectre (Variant 1, Variant 2) and Meltdown (Variant 3) are security flaws disclosed by researchers earlier last month in processors from Intel, ARM, and AMD, leaving nearly every PC, server, and mobile phone on the planet vulnerable to data theft.

However, later the chip maker rollbacked the firmware updates and had to tell users to stop using an earlier update due to users complaining of frequent reboots and other unpredictable system behavior after installing patches.

Although it should be a bit quicker, Intel is currently working on new patches and already in contact with hardware companies so that they can include the new microcode patch in their new range of firmware updates.

So, everyone else still has to wait for the company to release microcode updates for their systems.

"Earlier this week, we released production microcode updates for several Skylake-based platforms to our OEM customers and industry partners, and we expect to do the same for more platforms in the coming days," the company says in a blog post.

"We also continue to release beta microcode updates so that customers and partners have the opportunity to conduct extensive testing before we move them into production."

Intel has strongly urged its customers to install this update as soon as possible, because if not patched, these processor vulnerabilities could allow attackers to bypass memory isolation mechanisms and access everything, including memory allocated for the kernel containing sensitive data like passwords, encryption keys, and other private information.

Moreover, after the release of proof-of-concept (PoC) exploit for the CPU vulnerabilities last month, hundreds of malware samples are spotted in the wild, most of which are based on the publicly released exploit and designed to work on major operating systems and web browsers.

Although we have not yet seen any fully-featured malware based on Spectre and Meltdown vulnerabilities, it doesn't take much time for hackers to develop one.

So, users are urged to always keep a close eye on any update that becomes available on their system, and install them as soon as they become available.